APAR status
Closed as program error.
Error description
Key Certificate Management (KCM) produces certificates with incorrect Authority Key Identifier (AKI) extension values when the signing certificate was not generated by KCM.
Error Message, as reported by customer: Complete certificate chain is not presented. The AKI/SKI Java is generating for the chained certificate are not matching. The chained certificate is not recognized by Java as a chain because AKI/SKI does not match.
Stack Trace, if applicable: N/A
Other Error Information, as reported by customer: N/A
Local fix
Workaround: Use the same tool to create all certificates, i.e. KeyTool, iKeyman or KCM.
Problem summary
Key Certificate Manager Authority Key Identifier value incorrect.
PROBLEM DESCRIPTION: Authority Key Identifier and Subject Key Identifier mismatch in certificate chain causes validation failure. The key identifier value generated by Key Certificate Management is different than that generated by Keytool or iKeyman. The certificate chain will not validate when the Subject Key Identifier (SKI) of the signer certificate does not match the Authority Key Identifier (AKI) of the signed certificate. Certificate chains containing certificates generated by iKeyman, Keytool and Key Certificate Management fail to validate due to AKI/SKI mismatch.
Error message: The extended error message from the SSL handshake exception is: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors.
Problem conclusion
Key Certificate Management was modified to copy the SKI value of the signing certificate to the AKI value of the signed certificate.
The associated Hursley RTC Problem Report is 147372.
The associated Austin GIT defect is IBMKCM#18.
The associated Austin APAR is IJ38324.
JVMs affected: Java 8.0.
The fix was delivered for Java 8 sr7 fp10.
The affected jar is "ibmkeycert.jar".
The build level of this jar for the affected releases is Java 8 build_20220408--77
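To confirm whether a given pair of certificates is affected, the following added example (not IBM's code and not part of the APAR) reads the signer's SKI and the signed certificate's AKI keyIdentifier using only JDK classes and compares them. It is run as `java AkiSkiCheck signer.cer signed.cer`, where both file names are placeholders; it checks the identifier match only and does not perform full path validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class AkiSkiCheck {
    // Return the content of the DER TLV starting at der[0]; trailing bytes are ignored.
    static byte[] content(byte[] der, int tag) {
        if (der.length < 2 || (der[0] & 0xFF) != tag) throw new IllegalArgumentException("unexpected DER tag");
        int len = der[1] & 0xFF, off = 2;
        if (len > 0x7F) {                      // long form: low 7 bits count the length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 2 || der.length < 2 + n) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (der[off++] & 0xFF);
        }
        if (off + len > der.length) throw new IllegalArgumentException("truncated DER");
        return Arrays.copyOfRange(der, off, off + len);
    }
    // SKI (OID 2.5.29.14): extension OCTET STRING wrapping an OCTET STRING key identifier.
    static byte[] ski(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.14");
        return ext == null ? null : content(content(ext, 0x04), 0x04);
    }
    // AKI (OID 2.5.29.35): extension OCTET STRING wrapping a SEQUENCE; keyIdentifier is its optional [0] field.
    static byte[] aki(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.35");
        if (ext == null) return null;
        byte[] seq = content(content(ext, 0x04), 0x30);
        return seq.length > 0 && (seq[0] & 0xFF) == 0x80 ? content(seq, 0x80) : null;
    }
    static String hex(byte[] b) {
        if (b == null) return "(absent)";
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] signerSki = ski(load(args[0])), signedAki = aki(load(args[1]));
        System.out.println("signer SKI: " + hex(signerSki) + "\nsigned AKI: " + hex(signedAki));
        boolean match = signerSki != null && Arrays.equals(signerSki, signedAki);
        System.out.println(match ? "MATCH" : "MISMATCH or identifier absent");
        System.exit(match ? 0 : 1);
    }
}
```

A non-zero exit status on a chain that mixes KCM-issued certificates with ones from Keytool or iKeyman indicates the condition this APAR describes.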
Temporary fix
Comments
APAR Information
APAR number
IJ38324
Reported component name
TIV SEC COMPONE
Reported component ID
TIVOSEC00
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-03-09
Closed date
2022-04-14
Last modified date
2022-04-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV SEC COMPONE
Fixed component ID
TIVOSEC00
Applicable component levels
Document Information
Modified date:
29 April 2022